Description
Hi folks!
I have been using keychain for about 10 years now but recently found a way to integrate 1Password with the Funtoo Keychain workflow.
Like many, I store sensitive secrets like SSH key passphrases in 1Password. While 1Password now offers its own SSH agent, I personally prefer Keychain's approach where my key stays unlocked for my entire login session after a single unlock, rather than potentially needing more frequent re-authentication as I experienced with the native agent.
Essentially, the integration uses the standard SSH_ASKPASS mechanism. I created a small helper script that calls the 1Password CLI (op read ...) to fetch the passphrase. By setting the SSH_ASKPASS environment variable to point to this script before running keychain, ssh-add (when invoked by keychain) automatically and securely gets the passphrase from 1Password at the time the key is added.
I've written up the complete process, including the helper script, an orchestration script sourced by .zshrc (which also handles checking if op is installed), and explanations in a blog post here:
https://www.nijho.lt/post/ssh-1password-funtoo-keychain/
I'm sharing this in case other Keychain users who rely on 1Password find this pattern useful. It provides a nice way to combine the strengths of both tools – Keychain's persistent agent management and 1Password's secure secret storage.
Thanks for creating this great utility!
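The SSH_ASKPASS pattern described above, as an added example that is not the issue author's script or the Keychain project's code. It writes a small helper that prints the passphrase via `op read`, and a wrapper that exports SSH_ASKPASS (plus SSH_ASKPASS_REQUIRE=force, honoured by OpenSSH 8.4 and later) before running keychain. The op:// secret reference, the helper path and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the issue or the Keychain project): an SSH_ASKPASS
# helper backed by the 1Password CLI, and a wrapper that runs keychain with it.
# OP_SECRET_REF is a placeholder; replace it with your own op:// reference.

OP_SECRET_REF="${OP_SECRET_REF:-op://Private/ssh-key/passphrase}"   # placeholder
ASKPASS_DIR="${ASKPASS_DIR:-$HOME/.local/bin}"                       # assumed location
ASKPASS="$ASKPASS_DIR/op-askpass.sh"

# Return 0 when the 1Password CLI is on PATH (mirrors the "is op installed" check).
have_op() { command -v op >/dev/null 2>&1; }

# Write the helper. ssh-add runs it with the prompt text as $1 and reads the
# passphrase from its stdout; `op read` prints the referenced field verbatim.
# The helper contains no secret itself, only the reference, and is owner-only.
write_askpass_helper() {
  mkdir -p "$ASKPASS_DIR"
  cat > "$ASKPASS" <<'EOF'
#!/bin/sh
# SSH_ASKPASS helper: print the passphrase stored in 1Password.
exec op read "$OP_SECRET_REF"
EOF
  chmod 0700 "$ASKPASS"
}

# Run keychain with the helper in place. SSH_ASKPASS_REQUIRE=force makes
# ssh-add use the helper even on a terminal; older OpenSSH falls back to the
# DISPLAY-set-and-no-tty rule, so DISPLAY is given a value as well.
start_keychain() {
  have_op || { echo "op not installed; skipping 1Password askpass" >&2; return 1; }
  write_askpass_helper
  OP_SECRET_REF="$OP_SECRET_REF" SSH_ASKPASS="$ASKPASS" SSH_ASKPASS_REQUIRE=force \
    DISPLAY="${DISPLAY:-:0}" keychain --quiet "$@"
}

# Exercise the helper exactly as ssh-add would (prompt as $1, secret on stdout).
fetch_passphrase() {
  OP_SECRET_REF="$OP_SECRET_REF" "$ASKPASS" "Enter passphrase for key:"
}
```

Source the file from .zshrc and call `start_keychain id_ed25519` (or whichever key names you pass to keychain); because the passphrase only ever travels from `op read` to ssh-add over a pipe, nothing is written to disk and the helper can be kept under version control safely.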